mikrotik VLAN bridge

Good day!

I decided to move my Proxmox hypervisor into a separate VLAN.
It is in a separate bridge.
It can reach the whole network, but nothing else can reach it. The VM in VLAN 110 has no connectivity either.
As far as I understand, the tags are being stripped in the bridge, but I do not know how to fix it.



tcpdump on the sender

Here is the ICMP dump from the host

From your Winbox screenshot it seems to me that you’ve got the vlan settings in Mikrotik totally wrong.

If it was not clear from the official documentation, try reading these topics.

/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge110 interface=ether22 pvid=110
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether1-master
add bridge=bridge100 frame-types=admit-only-untagged-and-priority-tagged interface=vlan23.100 pvid=100
add bridge=bridge100 frame-types=admit-only-untagged-and-priority-tagged interface=vlan24.100 pvid=100
add bridge=bridge110 interface=vlan24.110 pvid=110

/interface bridge vlan
add bridge=bridge110 tagged=ether22 untagged=vlan24.110,vlan23.110,vlan22.110 vlan-ids=110
add bridge=bridge100 tagged=ether23,ether24 untagged=vlan23.100,vlan24.100 vlan-ids=100

/interface vlan
add interface=ether22 name=vlan22.110 vlan-id=110
add interface=ether23 name=vlan23.100 vlan-id=100
add interface=ether23 name=vlan23.110 vlan-id=110
add interface=ether24 name=vlan24.100 vlan-id=100
add interface=ether24 name=vlan24.110 vlan-id=110

If I set pvid=1 on the bridge, all communication with the server stops working (the VMs remain reachable).
I do not understand how to create a separate bridge for the hypervisor so that the VMs keep working in pvid 1.

You are mixing together the two approaches described in the topic I’ve referred to.

You can either use one /interface vlan vlan-id=x on each ethernet interface and bridge these /interface vlan together in one bridge per VID, or use a single bridge for several VLANs, and only in this case it makes sense to use the rules under /interface bridge vlan.

Have a look at these two pictures to see the difference between the approaches.

And if you use one bridge and Bridge/VLAN, your software needs to be >=6.41 (which supports the new VLAN-aware bridges).

With all due respect, Jotne, what you write is not correct.
Even ROS < 6.41 can deal with VLANs on a bridge. The only new thing is that it is possible to set up VLAN filtering on bridge ports with newer ROS. I’m not sure if CRS326 has the /interface ethernet switch subtree available, but if it does, then it’s quite possible to go with the single bridge approach with ROS < 6.41 as well. The concept of /interface vlan interfaces is exactly the same.

/interface bridge
add admin-mac=CC:2D:E0:28:2D:44 arp=proxy-arp auto-mac=no comment="created from master port" fast-forward=no name=bridge1
add fast-forward=no name=bridge100 vlan-filtering=yes
add arp=proxy-arp fast-forward=no name=bridge110 protocol-mode=none pvid=110 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge110 interface=ether22 pvid=110
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether1-master
add bridge=bridge100 interface=vlan23.100
add bridge=bridge100 interface=vlan24.100
add bridge=bridge110 interface=vlan24.110 pvid=110
/interface bridge vlan
add bridge=bridge110 tagged=ether22 untagged=vlan24.110,vlan23.110,vlan22.110 vlan-ids=110
add bridge=bridge100 tagged=ether23,bridge100,ether24 untagged=vlan23.100,vlan24.100 vlan-ids=100

CRS326-24G-2S+ ROS v6.42.6

I set pvid=1 on the bridge and on the interfaces vlan23.100 and vlan24.100; it works exactly the same as with pvid 100. And there is still no connection between vlan23.100 and vlan24.100.

Oops, my fault. Writing before thinking…

I’m very grateful for your advice.
I do not understand how to apply your advice to my situation, since I have VLAN interfaces.
Or, if I understand correctly, I do not need to create VLAN interfaces at all,
and all of this is done with VLAN IDs on ether23 and ether24. But then how do I separate them into a separate bridge?

@Serafimko

If you are not familiar with the new 6.41 VLANs, this PDF document is very useful.

https://mum.mikrotik.com/presentations/ID13/khomeini.pdf

I learned VLANs along the way when I created this thread:
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1
It will give you some tips on how to do it.

/interface bridge
add admin-mac=CC:2D:E0:28:2D:44 arp=proxy-arp auto-mac=no comment="created from master port" fast-forward=no name=bridge1
add fast-forward=no name=bridge100
add arp=proxy-arp fast-forward=no name=bridge110 protocol-mode=none pvid=110 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge110 disabled=yes interface=ether22 pvid=110
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether1-master
add bridge=bridge100 interface=vlan23.100
add bridge=bridge100 interface=vlan24.100
add bridge=bridge110 interface=vlan24.110 pvid=110
/interface bridge vlan
add bridge=bridge110 untagged=vlan24.110,vlan23.110,ether22 vlan-ids=110

I disabled VLAN filtering on bridge100, set pvid=1, and turned off the rule under bridge vlan.
And there is still no connection between vlan23.100 and vlan24.100.

I used this approach in order to assign an IP address to the whole of bridge100.
I did everything according to this scheme: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN
Under the new scheme I do not understand how to connect the networks vlan23.100 and vlan24.100 together:
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.232_.28Trunk_and_Hybrid_Ports.29

You cannot make ether23/ether24 simultaneously member ports of bridge1 and carrier interfaces for /interface vlan. If you need tagless frames on ether23 and ether24 to be bridged together and at the same time you need to bridge tagged frames between them, you must replace

/interface vlan
add interface=ether22 name=vlan22.110 vlan-id=110
add interface=ether23 name=vlan23.100 vlan-id=100
add interface=ether23 name=vlan23.110 vlan-id=110
add interface=ether24 name=vlan24.100 vlan-id=100
add interface=ether24 name=vlan24.110 vlan-id=110

by

/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan110 vlan-id=110

and forget about bridge100 and bridge110 completely - the IP configuration which you have attached to bridge100 and bridge110 has to be attached to vlan100 and vlan110 respectively instead.

If you want to make sure that frames tagged with some VID are only allowed to get in on the ports on which they are permitted, you have to configure vlan-filtering=yes and ingress-filtering=yes on bridge1 and also ingress-filtering=yes on the ports as you define their membership in the bridge.

So the complete configuration would be as follows:

/interface bridge
add admin-mac=CC:2D:E0:28:2D:44 arp=proxy-arp auto-mac=no comment="created from master port" fast-forward=no name=bridge1 vlan-filtering=yes ingress-filtering=yes

/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan110 vlan-id=110

/interface bridge port
add bridge=bridge1 interface=ether1-master pvid=1 ingress-filtering=yes
add bridge=bridge1 disabled=yes interface=ether2 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether9 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether11 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether12 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether13 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether14 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether15 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether16 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether17 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether18 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether19 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether20 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether21 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether22 pvid=1 ingress-filtering=yes comment="ether22 is referenced in /interface bridge vlan below, so it must be a member port"
add bridge=bridge1 interface=ether23 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether24 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus1 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus2 pvid=1 ingress-filtering=yes

/interface bridge vlan
add bridge=bridge1 vlan-ids=1 untagged=bridge1,ether1-master,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2
add bridge=bridge1 vlan-ids=100 tagged=bridge1,ether22,ether23,ether24
add bridge=bridge1 vlan-ids=110 tagged=bridge1,ether22,ether23,ether24

The configuration above supposes that on ether22, ether23, ether24 frames belonging to VLAN 1 come/leave tagless and frames belonging to VLANs 100 and 110 come/leave tagged.
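The two slips that are easiest to make in a bridge VLAN table like the one above are an interface name in `untagged=`/`tagged=` that does not match a port name, and a port referenced in the table but never added under /interface bridge port; with ingress-filtering=yes both turn into silent frame drops. The following is an added example (not code from the thread or from MikroTik): a small Python model of a VLAN-aware bridge that parses the `/interface bridge port` and `/interface bridge vlan` sections of an export, reports those inconsistencies, and predicts whether a frame entering one port is dropped, or leaves another port tagged or untagged. The export embedded in it is a constructed four-port sample containing both slips; the ingress/egress rules it applies (untagged frame takes the port pvid, ingress filtering requires membership in the VLAN entry, egress tagging follows the entry, the bridge's own name is the CPU port feeding /interface vlan) are the documented RouterOS behaviour as assumed here, not a claim about any particular ROS build.

```python
"""Audit a RouterOS VLAN-aware bridge (vlan-filtering=yes) from an /export fragment and
predict how a frame is classified on ingress and tagged on egress. Semantics modelled
(assumed from the RouterOS bridge manual): untagged frames get the port's pvid; with
ingress-filtering=yes a frame is dropped unless its port is in the bridge vlan entry for
that VID; frame-types can refuse untagged or tagged frames; egress is tagged/untagged per
the entry, and the bridge's own name in an entry is the CPU port feeding /interface vlan."""
import re
from dataclasses import dataclass, field

# Constructed sample: a four-port cut of a config like the one above, with two slips that
# are easy to make in the VLAN table: 'ether1' does not match the port name 'ether1-master',
# and 'ether22' is referenced but never added as a bridge port.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether1-master pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether23 pvid=1 ingress-filtering=yes
add bridge=bridge1 interface=ether24 pvid=1 ingress-filtering=yes
/interface bridge vlan
add bridge=bridge1 vlan-ids=1 untagged=bridge1,ether1,ether3,ether22,ether23,ether24
add bridge=bridge1 vlan-ids=100 tagged=bridge1,ether22,ether23,ether24
add bridge=bridge1 vlan-ids=110 tagged=bridge1,ether22,ether23,ether24
"""
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

@dataclass
class Port:
    name: str
    pvid: int = 1                    # RouterOS defaults below
    ingress_filtering: bool = False
    frame_types: str = "admit-all"

@dataclass
class Bridge:
    name: str
    ports: dict = field(default_factory=dict)     # port name -> Port
    tagged: dict = field(default_factory=dict)    # vid -> {interface}
    untagged: dict = field(default_factory=dict)  # vid -> {interface}

def parse_export(text):
    """Build Bridge objects from the 'bridge port' and 'bridge vlan' sections of an export.
    Assumption: one 'add' per line; vlan-ids ranges such as '100-110' are not expanded."""
    bridges, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if not line.startswith("add ") or kv.get("disabled") == "yes" or "bridge" not in kv:
            continue
        br = bridges.setdefault(kv["bridge"], Bridge(kv["bridge"]))
        if section == "/interface bridge port":
            br.ports[kv["interface"]] = Port(kv["interface"], int(kv.get("pvid", 1)),
                                             kv.get("ingress-filtering") == "yes",
                                             kv.get("frame-types", "admit-all"))
        elif section == "/interface bridge vlan":
            for vid in (int(v) for v in kv["vlan-ids"].split(",")):
                for key, table in (("tagged", br.tagged), ("untagged", br.untagged)):
                    table.setdefault(vid, set()).update(x for x in kv.get(key, "").split(",") if x)
    return bridges

def audit(br):
    """Findings to resolve before enabling vlan-filtering: each one is a silent frame drop."""
    findings = []
    for vid in sorted(set(br.tagged) | set(br.untagged)):
        tagged, untagged = br.tagged.get(vid, set()), br.untagged.get(vid, set())
        for iface in sorted(tagged | untagged):
            if iface != br.name and iface not in br.ports:
                findings.append(f"'{iface}' is listed in bridge vlan {vid} but is not a port of {br.name}")
        for iface in sorted(tagged & untagged):
            findings.append(f"'{iface}' is both tagged and untagged in vlan {vid}")
    for p in br.ports.values():                # untagged ingress must have an untagged VLAN entry
        if p.name not in br.untagged.get(p.pvid, set()):
            findings.append(f"'{p.name}' has pvid {p.pvid} but is not untagged in bridge vlan {p.pvid}")
    return findings

def ingress(br, port_name, vid):
    """VID a frame is put into on ingress, or None if dropped (vid=None means an untagged frame)."""
    p = br.ports.get(port_name)
    if p is None:
        return None                            # not a member port of this bridge
    if vid is None:
        if p.frame_types == "admit-only-vlan-tagged":
            return None
        vid = p.pvid
    elif p.frame_types == "admit-only-untagged-and-priority-tagged":
        return None
    member = p.name in (br.tagged.get(vid, set()) | br.untagged.get(vid, set()))
    return vid if member or not p.ingress_filtering else None

def egress(br, vid, out_iface):
    """'tagged', 'untagged', or None if out_iface is not in that VLAN (frame is not sent there)."""
    if out_iface in br.tagged.get(vid, set()):
        return "tagged"
    return "untagged" if out_iface in br.untagged.get(vid, set()) else None

def forward(br, in_port, vid, out_iface):
    """End to end: how a frame entering in_port leaves via out_iface (bridge name = CPU port)."""
    v = ingress(br, in_port, vid)
    return None if v is None else egress(br, v, out_iface)

if __name__ == "__main__":
    b = parse_export(SAMPLE_EXPORT)["bridge1"]
    print(*audit(b), sep="\n")
    print(forward(b, "ether3", None, "ether23"), forward(b, "ether23", 100, "bridge1"),
          forward(b, "ether3", 100, "ether23"))   # untagged tagged None
```

On the constructed sample the audit reports that 'ether1' and 'ether22' appear in VLAN entries without being bridge ports and that 'ether1-master' has pvid 1 without an untagged entry, which is exactly the situation in which an access port looks configured but passes nothing. The forwarding check shows the intended behaviour once the table is right: VLAN 1 traffic between access ports leaves untagged, VLAN 100 from a trunk reaches the bridge CPU tagged (so the IP address on vlan100 answers), and a frame tagged 100 arriving on an access port with ingress-filtering=yes is dropped. Feed it the real export (`/export` output) rather than the sample to audit a live box; lines wrapped with a trailing backslash would need to be joined first.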

I checked just now, while there were no employees at work, and everything works! Thank you very much!
If it is not too much trouble, could you show the configuration for how you would create the interfaces if you were doing the same thing?

A few minutes later I realized that something was wrong.
If from another network I try to get on ip in the bus 100 then the answer will come that there is no route, I go to ARP and there is no poppy in the requested ip in the mobile 100.
I go straight to the server and start pinging the microphone, there is no answer, I ping any machine from another network, not the server, the ping passes and right now you can ping Mikrotik and connect to it and its MAC appears in ARP.
And the opportunity to connect to it, after a couple of minutes you need to repeat everything for work

/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan110 vlan-id=110

/interface bridge
add admin-mac=CC:2D:E0:28:2D:44 arp=proxy-arp auto-mac=no comment="created from master port" fast-forward=no name=bridge1 vlan-filtering=yes
add disabled=yes fast-forward=no name=bridge100
add arp=proxy-arp disabled=yes fast-forward=no name=bridge110 protocol-mode=none pvid=110 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22 pvid=110
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether1-master
add bridge=bridge100 disabled=yes interface=vlan23.100
add bridge=bridge100 disabled=yes interface=vlan24.100
add bridge=bridge110 disabled=yes interface=vlan24.110 pvid=110
/interface bridge vlan
add bridge=bridge110 disabled=yes tagged=bridge1,ether23,ether24 untagged=ether22 vlan-ids=110
add bridge=bridge100 disabled=yes tagged=ether23,bridge1,ether24 vlan-ids=100
add bridge=bridge1 untagged=ether1-master,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
add bridge=bridge100 disabled=yes tagged=bridge100,ether24 untagged=vlan24.100 vlan-ids=""
add bridge=bridge1 tagged=bridge1,ether23,ether24 untagged=ether22 vlan-ids=110
add bridge=bridge1 tagged=bridge1,ether23,ether24 vlan-ids=100

Sorry, but from your description I haven’t understood what actually happened. If you use a machine translator (as the use of word microphone suggests), please edit the post and add also the original text in Russian to it.

I’m sorry that I did not check how the translator rendered it.
If I try to reach an IP in vlan100 (for example 10.10.3.2) from the network in vlan1 (192.168.1.33), the answer is that there is no route; I go to IP -> ARP and there is no MAC for the requested IP in vlan100.
I go directly to the server (10.10.3.2) and start pinging the Mikrotik: there is no answer. I ping any machine in the network (vlan1 or vlan110): the ping goes through, and right away I can ping the Mikrotik (10.10.3.1) and connect to it, and its MAC appears in ARP. After a couple of minutes I have to repeat all of this to keep working.


Okay, so the Mikrotik does have a local IP address in each VLAN, so one IP configuration is attached to the bridge1, another one to /interface vlan name=vlan100, and another one to /interface vlan name=vlan110. It was not clear to me before whether this was done properly.

What does put [/interface bridge get bridge1 protocol-mode] show? If anything other than none, change it using /interface bridge set bridge1 protocol-mode=none and try again.

Also, what do put [/interface bridge get bridge1 arp], put [/interface vlan get vlan100 arp] and put [/interface vlan get vlan110 arp] show? The default value is enabled, so if there is anything else, it must be a consequence of some experiments; make sure that it is set to enabled on all three interfaces and try again.

/interface bridge get bridge1 protocol-mode did not show anything, and neither did [/interface vlan get vlan100 arp] or [/interface vlan get vlan110 arp]. (In Winbox arp=enabled.)
But I found the setting in Winbox and changed it to none. The value was originally RSTP.
And everything works as it should!
sindy, thank you very much for finding the time to help me sort this out and better understand how Mikrotik works.

/interface bridge get bridge1 protocol-mode doesn’t show anything; you have to use the complete format of the command I gave, put [/interface bridge get bridge1 protocol-mode]. The reason is that the output value of the command is not visualized automatically, put [command] is necessary to visualize the output value.

Other than that, are you 100% sure that the network topology is exactly the one indicated on your diagram? Because normally the RSTP running on a bridge should not break anything, so it may be that there is some loop in one of the VLANs which makes one member port of a bridge receive BPDUs sent by another port of the same bridge, so the STP disables one of the ports.